Syndicated

In the ongoing battle between infosec pros and malware authors one thing is certain: uncertainty. The bad guys are always changing tactics.

This week a security vendor noted that malicious programs increasingly incorporate evasive behaviours, and while it believes it has a solution, CISOs and researchers should be aware of the problem so they know what to look for.

As David Bisson summarizes the issue on Tripwire's blog, there are four common anti-detection techniques malware authors use: environmental awareness (checking whether the code is running inside a sandbox or under analysis tools), confusing automated tools, timing-based evasion and obfuscating internal data.

The Rombertik malware leverages several of these at once, while BlackPOS relies only on timing-based evasion: it compares the infected system's clock against a timestamp hard-coded in the executable before deciding whether to run its payload.

Bisson notes there is a related phenomenon called dormant functionality, in which only a small subset of the malicious code that could execute under certain conditions is actually triggered during analysis. Dormant code can be found in evasive malware, but, he writes, it can also be found in non-evasive malicious samples. Lastline, a vendor of advanced persistent threat detection products, has identified four scenarios that leave code dormant, among them:

– the malware's inability to contact a command-and-control server, which leaves any code that depends on C2 instructions unexecuted and can mislead defences that look for such traffic;

– the inability of malware components that need to interact with each other to load or run;

The point is that analysts need ways to identify these dormant functions before they wake and execute. Lastline notes that dormant functions can be found in the Wild Neutron malware recently analyzed by Kaspersky Lab.
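To make the two mechanisms above concrete (the BlackPOS-style clock check and the C2-dependent dormant stages), here is an added example written for this page; it is not code from the article, Tripwire, Lastline or Kaspersky Lab, and it models no real sample. The hypothetical `EvasiveSample` gates its payload stages on a hard-coded build timestamp, C2 reachability and the presence of a sibling component; the `analyze` harness then runs the sample once per candidate environment and reports which stages a single sandbox run with a "wrong" clock and no network would never see. All constants, stage names and environment fields are assumptions chosen for illustration.

```python
"""Toy model of gated (evasive/dormant) malware stages and a multi-environment harness.

Added example for illustration only; nothing here reflects a real sample's logic.
"""
import itertools
from dataclasses import dataclass

# Hypothetical timestamp baked into the 'executable' at build time (seconds since epoch).
BUILD_TIMESTAMP = 1_431_000_000
# Hypothetical window: the payload only runs if the clock is within 30 days of the build.
MAX_SKEW = 30 * 24 * 3600


@dataclass(frozen=True)
class Environment:
    """What the sample can observe about the host it runs on (constructed inputs)."""
    now: int                        # system clock, seconds since epoch
    c2_reachable: bool              # can the sample talk to its C2 server?
    sibling_component_loaded: bool  # is the second component it depends on present?


class EvasiveSample:
    """Models a sample whose payload stages are gated by environment checks."""

    def run(self, env: Environment) -> list:
        """Return the ordered list of stages that executed in this environment."""
        executed = ["init"]
        # Timing-based evasion: compare the host clock with the hard-coded build time.
        if env.now < BUILD_TIMESTAMP or env.now - BUILD_TIMESTAMP > MAX_SKEW:
            executed.append("exit_quietly")
            return executed
        executed.append("persistence")
        # Dormant scenario 1: without C2 the tasking-dependent code never runs.
        if not env.c2_reachable:
            executed.append("sleep_and_retry")
            return executed
        executed.append("fetch_tasking")
        # Dormant scenario 2: a stage that needs a second component stays dormant without it.
        if not env.sibling_component_loaded:
            return executed
        executed.append("exfiltrate")
        return executed


def candidate_environments() -> dict:
    """Enumerate the gate inputs an analyst would want to force (constructed grid)."""
    clocks = {
        "before_build": BUILD_TIMESTAMP - 1,
        "soon_after_build": BUILD_TIMESTAMP + 86_400,
        "long_after_build": BUILD_TIMESTAMP + 400 * 86_400,
    }
    envs = {}
    for (cname, now), c2, sib in itertools.product(clocks.items(), (False, True), (False, True)):
        envs[f"{cname}/c2={c2}/sibling={sib}"] = Environment(now, c2, sib)
    return envs


def analyze(sample_cls, envs: dict) -> dict:
    """Run the sample once per environment; map each stage to the environments that reach it."""
    reach = {}
    for name, env in envs.items():
        for stage in sample_cls().run(env):
            reach.setdefault(stage, set()).add(name)
    return reach


def dormant_stages(reach: dict, baseline: str) -> list:
    """Stages that exist in the sample but never execute under the baseline environment."""
    return sorted(stage for stage, names in reach.items() if baseline not in names)


if __name__ == "__main__":
    # A naive sandbox: real (late) clock, no outbound network, single component.
    baseline = "long_after_build/c2=False/sibling=False"
    reach = analyze(EvasiveSample, candidate_environments())
    print("stages seen by the baseline sandbox:",
          sorted(s for s, n in reach.items() if baseline in n))
    print("stages dormant in the baseline sandbox:", dormant_stages(reach, baseline))
    for stage in dormant_stages(reach, baseline):
        print(f"  {stage} is reached only under: {sorted(reach[stage])}")
```

The harness shows why a single sandbox run is not enough: with its clock long after the build date and no C2, the baseline run stops at `exit_quietly`, so `persistence`, `fetch_tasking` and `exfiltrate` all look absent. Only by varying the gate inputs (or by statically tracing the branches those inputs control) do the dormant stages appear, which is the kind of analysis the article says defenders need.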

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomedia [@] gmail.com